Cybersecurity researchers have uncovered a large-scale spam campaign that has inundated the npm registry with over 46,000 fake packages since early 2024, in what appears to be a financially motivated effort. The campaign, dubbed IndonesianFoods, leverages a worm-like propagation mechanism to automatically generate and publish packages, straining the open-source ecosystem and creating supply chain risks.
“The packages were systematically published over an extended period, flooding the npm registry with junk packages that survived in the ecosystem for almost two years,” said Cris Staicu and Kiran Raj of Endor Labs in a Tuesday report.
How the Campaign Works
The IndonesianFoods campaign relies on a distinctive naming convention, using Indonesian names and food terms, and masquerades as legitimate Next.js projects. Each package contains a single JavaScript file, such as auto.js or publishScript.js, which remains dormant until manually executed by a user.
When run, the script removes safeguards in the package.json file, generates random package names and versions, and publishes new packages to npm in an infinite loop, at a rate of roughly 17,000 packages per day. The mechanism creates a self-replicating network, with spam packages referencing each other as dependencies, exponentially increasing registry load.
“This floods the npm registry with junk packages, wastes infrastructure resources, pollutes search results, and creates supply chain risks if developers accidentally install these malicious packages,” said Paul McCarty, a SourceCodeRED researcher who first flagged the activity.
Motivation and Impact
Some packages, such as arts-dao and gula-dao, contain a tea.yaml file referencing multiple TEA protocol accounts, suggesting the campaign is monetized through artificially inflating contributions and earning TEA tokens. While no direct credential theft has been observed, the sheer scale of the attack highlights the vulnerability of open-source ecosystems to automated abuse and spam campaigns.
A second variant of the campaign uses random English words for package names, further demonstrating the attackers’ adaptability. Researchers emphasized that traditional security scanners often fail to detect these packages since the malicious code does not execute during installation, evading lifecycle hooks and automated sandboxing.
“The sheer number of packages flagged in the current campaign shows that security scanners must analyze these signals in the future,” said Endor Labs researchers.
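The signals described above (a single dormant auto.js or publishScript.js file, a tea.yaml manifest, Indonesian food terms in the package name, a Next.js dependency with no application files, and spam packages depending on one another) can all be checked statically from a package's contents, without executing anything it ships. The following JavaScript is an added example written for this page, not code from Endor Labs, SourceCodeRED or the campaign; the food-term word list, the scoring threshold and the package fixtures are constructed assumptions, and the cluster-propagation rule is one possible design, not the researchers' method.

```javascript
// Added example (not code from the Endor Labs or SourceCodeRED research, nor
// from the campaign itself): a static triage heuristic that scores a package's
// tarball contents against the IndonesianFoods signals named in the article,
// so the package can be flagged without ever running its scripts.
// All fixtures below are constructed; FOOD_TERMS is an illustrative word list,
// not the campaign's actual vocabulary.

// Assumption: a short list of common Indonesian food words (Indonesian personal
// names would extend the list the same way).
const FOOD_TERMS = new Set(["gula", "nasi", "ayam", "sambal", "rendang", "tempe", "bakso", "sate"]);
// Dropper file names reported in the article.
const DROPPER_FILES = new Set(["auto.js", "publishScript.js"]);

// Score one package. `pkg` = { name, files: [paths inside the tarball],
// manifest: parsed package.json }.
function scorePackage(pkg) {
  const reasons = [];
  const jsFiles = pkg.files.filter((f) => f.endsWith(".js"));
  // Signal 1: the whole "project" is one JS file with a known dropper name.
  if (jsFiles.length === 1 && DROPPER_FILES.has(jsFiles[0])) reasons.push("single-dropper-file");
  // Signal 2: a tea.yaml manifest (TEA protocol reward attribution).
  if (pkg.files.includes("tea.yaml")) reasons.push("tea-manifest");
  // Signal 3: the name is built from Indonesian food terms.
  const parts = pkg.name.toLowerCase().split(/[^a-z0-9]+/);
  if (parts.some((p) => FOOD_TERMS.has(p))) reasons.push("food-term-name");
  // Signal 4: declares Next.js but ships none of the files a Next.js app needs.
  const deps = Object.keys(pkg.manifest.dependencies || {});
  const hasAppFiles = pkg.files.some((f) => f.startsWith("pages/") || f.startsWith("app/"));
  if (deps.includes("next") && !hasAppFiles) reasons.push("nextjs-facade");
  return { name: pkg.name, score: reasons.length, reasons, deps };
}

// Flag packages scoring >= threshold, then propagate along dependency edges:
// a package with at least one signal of its own that depends on a flagged
// package joins the cluster (the "spam packages referencing each other").
function findSpamCluster(packages, threshold = 2) {
  const scored = packages.map(scorePackage);
  const flagged = new Set(scored.filter((s) => s.score >= threshold).map((s) => s.name));
  let changed = true;
  while (changed) {
    changed = false;
    for (const s of scored) {
      if (flagged.has(s.name) || s.score === 0) continue;
      if (s.deps.some((d) => flagged.has(d))) {
        flagged.add(s.name);
        changed = true;
      }
    }
  }
  return { scored, flagged: [...flagged].sort() };
}

// Constructed fixtures modelled on the article's description.
const SAMPLE_PACKAGES = [
  { name: "gula-dao", files: ["package.json", "auto.js", "tea.yaml"],
    manifest: { dependencies: { next: "^14.0.0", "arts-dao": "1.0.0" } } },
  { name: "arts-dao", files: ["package.json", "publishScript.js", "tea.yaml"],
    manifest: { dependencies: { next: "^14.0.0" } } },
  // Only one signal on its own, but it depends on a flagged package.
  { name: "rendang-utils", files: ["package.json", "index.js", "lib/helpers.js"],
    manifest: { dependencies: { "gula-dao": "1.0.0" } } },
  // A genuine-looking Next.js app: must not be flagged.
  { name: "my-next-app", files: ["package.json", "next.config.js", "pages/index.js"],
    manifest: { dependencies: { next: "^14.0.0", react: "^18.0.0" } } },
];

// Runs the heuristic over the constructed fixtures.
function triageSample() {
  return findSpamCluster(SAMPLE_PACKAGES);
}

if (typeof require !== "undefined" && require.main === module) {
  const result = triageSample();
  for (const s of result.scored) {
    console.log(`${s.name}: score=${s.score} [${s.reasons.join(", ")}]`);
  }
  console.log("flagged cluster:", result.flagged.join(", "));
}
```

Two design choices matter here. The score is computed from the tarball listing and the parsed manifest only, so the dormant dropper is never executed and the lifecycle-hook evasion the article describes has nothing to evade. Propagation along dependency edges requires at least one signal on the dependent package itself, so a legitimate project that happens to pull in one flagged package is not swept into the cluster by that edge alone.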
Response from GitHub and the Community
GitHub has removed the affected packages from npm and continues to monitor the platform for malicious activity.
“We have disabled malicious npm packages in accordance with GitHub’s Acceptable Use Policies,” a spokesperson said. “We employ manual reviews and at-scale detections using machine learning to mitigate malicious usage of the platform.”
Experts warn that even though the campaign does not currently infiltrate developer machines or steal sensitive data, it demonstrates how trivial it is to disrupt the world’s largest software supply chain, highlighting critical weaknesses in package registry governance and ecosystem security.